The Cloudflare Poison

elias_griffin, 15 days ago

The name sounds akin to “mass gaslighting”?

iarigby, 16 days ago

It is very weird that tools that support “onion” ssl - some way that would allow one layer of encryption for your “allowed” mitm which would keep almost all the request encrypted with key for the server.

Scolding0513, 16 days ago

exactly my thoughts, i been wanting look into this. seems like they are trying to MITM even onion traffic

TheAnonymouseJoker, 16 days ago

I explicitly block Cloudflare and Google domains fully, until and unless it is a website with no privacy repercussions or throwaway account possibilities. If it is something I legally purchase and requires their captcha, I can tolerate it unless I can avoid.

People are too used to submitting or cucking themselves. I am not such a person.

Deebster, 16 days ago

If you’re blocking everything that’s proxied via Cloudflare or hosted on Google, the internet must be a very small place for you. I think even a third of Lemmy is behind Cloudflare.

TheAnonymouseJoker, 16 days ago

I do not directly use Lemmy world or those instances. Their contents federate with Lemmy.ml instance.

Moreover, only 22% of internet is behind Cloudflare. You missed the part where I said I refuse to use a Cloudflare service where there is no throwaway account possibilities or no privacy/anonymity repercussions. That is most of Cloudflare sites. I have encountered probably 20ish CF sites in my life according to my criteria where I had to avoid using them.

Deebster, 15 days ago

I know how federation works, but look at the network inspector and you’ll see you’re pulling a lot of images from Cloudflare-proxied sites (or you’re missing a lot, if you’ve blacklisted them).

Anyway, I only meant that even Lemmy, with its anti-corporate culture, is still heavily using Cloudflare. “Only” 22% is still a lot in my book.

I’m interested as to your motives - are you doing this as a boycott, and/or to protect your privacy (or similar)? Also, are you blocking domains one-by-one, or are doing something like using firewall rules?

Scolding0513, 16 days ago

fully agreed. if i have to use a CF site i make absolutely sure im using a dedicated IP with useless disposable info/creds

sometimes I just close the site and never go back, I’m so sick of seeing it.

SquiffSquiff, 16 days ago

It’s not that you’re wrong. It’s more that I don’t understand what you’re proposing as an alternative. To add to the comments here pointing out that that’s how CDNs work: for many designs of website, the CDN essentially is the website, being served from a cache by the provider. Even when this isn’t the case, you would normally have a load balancer in front of whatever was serving your website so that if you need to swap out the server for maintenance upgrade, etc. you don’t need to tell who your visitors to go to a different address. In that case, your certificate would be attached to load balancer rather than the server behind it.

If this was a 1990s and I were trying to run my own server on my own hardware in my bedroom, you might have a point, but please explain how you would implement an alternative in any meaningful way today.

myliltoehurts, 16 days ago

Honestly, even if you don’t terminate SSL right until your very own app server, it’s still based on the assumption that whoever holds the root cert for your certificate is trustworthy.

The thing that has actually scared me with CF is the way their rules work. I am not even sure what’s the verification step to get to this, but if there is a configured page rule in a different CF account for your domain that points at cloudflare (I.e. the orange cloud), you essentially can’t control your domain as long as it’s pointing at CF (I think this sentence is a bit confusing so an alternative explanation: your domain is pointing DNS at your own CF account, in your CF account you have enabled proxying for your domain, some other CF account has a page rule for your domain, that rule is now in control). The rule in some other account will control it.

It has happened to us at work and I had to escalate with their support to get them to remove the rule from the other cloudflare account so we can get back control of our domain while using CF. Their standard response is for you to find and ask the other CF account to remove the rule for your domain.

This is a pretty common issue with gitbook, even the gitbook CEO was surprised CF does this.

SquiffSquiff, 16 days ago

Thanks. This is pushing the limits of my current understanding, but unless I’m mistaken, this reads like ‘anyone who chooses may hijack part of your domain at any time if you both use cloudflare’. Sounds crazy.

xilona, 16 days ago

Well put!

I’ve been saying this since they made their services available…Nobody listened to me.

Usually when I said sth. like you mentioned, people look at me like they look today:

Ohhh…You are a conspiracy theorist…

No mate, I have a better understanding of the fucking computers and technology because I do this for a few decades…

Hoping they will listen to you!

Scolding0513, 16 days ago

factual statements

people won’t listen because they know it’s true but dont wanna admit. willful ignorance

IphtashuFitz, 16 days ago

I hope you realize that virtually every CDN provider does the exact same thing in similar ways. Sites that use Akamai, AWS, Google cloud, Fastly, etc. all give those companies access to unencrypted content. It’s just how CDNs work…

Scolding0513, 16 days ago

ofc. they are all catch-alls for the NSA. people think the NSA is monitoring traffic as in looking over our shoulders. like direct interception. nope, they just let a few megacorps convince the entire internet to pass everything through their servers, then buy off all the data.

Once again, the earthly principle of all things being ultimately voluntarily, is still true.

Reddfugee42, 16 days ago

Yeah, the NSA isn’t already completely integrated into telco itself. It needs these other companies to execute its tasks. You get it.

Scolding0513, 16 days ago

if they want to bypass all TLS, then yes, mr smarty pants

tarmarbar, 15 days ago

I think he’s saying they don’t have to if they can read it off of your pc or the server before it’s even encrypted. OS backdoors, in-app backdoors, hardware backdoors inside the CPU like Intel ME…

Scolding0513, 15 days ago

there is a difference between targetted attacks like that and straight allowing them to dragnet you and millions of others

tarmarbar, 15 days ago

I’m not arguing for cloud flare hahahh it’s horrible. I’m just saying, it’s just one of many ways your data is taken. I don’t see why the backdoors I listed should be used for targeted “attacks” only. They call it telemetry and it’s “used to improve the product you use” hehehh

Reddfugee42, 15 days ago

If you don’t think the NSA can read standard web encryption, well, that’s just adorable

TimLovesTech, 17 days ago

So does everyone here that fears Cloudflare as secretly out to get them not believe that the NSA doesn’t have their hooks in all the major datacenters? The same datacenters used by all the major web hosts people are using to “self host” for privacy.

Personally I think you have to have faith at some point that everything from your node to the destination is on the up-and-up unless you have a concrete reason to assume otherwise. Otherwise you should be suspicious of your ISP’s network and every switch/router/firewall/node your data traverses on the internet. And being that paranoid basically means anything you didn’t review the code of and compile yourself should be out of bounds.

xilona, 16 days ago

Not if you have everything “on premises” under your control and doing the hard work of keeping that infrastructure up and running. Yeah, that is a lot of effort, but still doable!

Someone asked me: Does it worth it? I let you answer that question yourself 🙂

TimLovesTech, 16 days ago

Agreed, it can work for those wanting to be an admin (and know enough to be “dangerous”). I think the bigger issue comes when you want to open services to the internet, because unless you are an admin you probably don’t want to do that without a proxy (and possibly firewall) of some kind in front of your home network. Which is kinda what I was thinking with this anti-Cloudflare post. If you are interacting with the Internet you have to trust a network and hardware outside of your own. And I think it’s naive to fear the 3-letter orgs being inside Cloudflare, and then thinking that putting your data in a datacenter you don’t control is any “safer”.

I think ultimately if the 3 letter groups want your data that bad because you’re on some list, I think the internet as a whole is something you should probably be avoiding anyways. And for randoms, if they are sweeping up data like that you can be sure they would do it at more than just Cloudflare.

bokherif, 17 days ago

My man thinks he has privacy lol. Any CDN that provides WAF capabilities will inject themselves in the middle to inspect the traffic. This does not mean they don’t respect your privacy. If you think the three letter bureaus let you have your privacy with anything, you’re wrong. Privacy is a long dead thing of the past. You can’t even hide your data from companies that want to make a profit off your data, let alone the three letter government agencies. The government monitors and has access to every digital device known to regular consumers, beit in the US, CN or any other country.

orcrist, 16 days ago

I think you were doing all right until you got to the end, where you went into hardcore conspiracy theory mode. But even at the beginning, you were oversimplifying, which made your analysis weak. In reality, there are many different attackers willing to spend different amounts of time and money. When we take steps to improve security, we discourage some of those attackers even if we don’t stop them all.

Tinkerer, 17 days ago (edited 17 days ago)

So what provider does everyone recommend instead of cloudflare for proxy? I use cloudflare to protect all my websites but I’ve been trying to find some other place to proxy them from.

TimLovesTech, 17 days ago

This rant is about using Cloudflare as a proxy, nothing to do with who you buy your domain name from.

hperrin, 16 days ago

Do you need to proxy?

Tinkerer, 16 days ago

I mean no but the added security kind of trumps everything else. It helps to not expose my public IP and the added bonus of firewall rules too.

orcrist, 16 days ago

That all depends on your setup. If your website is on a VPS, why are you adding the extra security? Are you adding extra security? I think one of the points is that you’re taking away security.

And if you need firewall rules, maybe you should put the firewall rules on your firewall. Why would you rely on someone else’s firewall?

Tinkerer, 16 days ago

I host all my stuff locally including my nginx proxy manager and I do also have opnsense firewall rules with geoip blocking as well.

InFerNo, 16 days ago

Does your site actually need protection from cloudflare? Have you been attacked?

hellfire103, 17 days ago (edited 17 days ago)

Welp. Guess now is as good a time as any for me to switch to deSEC…

starman, 17 days ago (edited 17 days ago)

BTW, can someone recommend me nice alternative for fast and free static website hosting?

I tried GitHub Pages, but I couldn’t get it working with subdomains.

glowie, 17 days ago

Codeberg pages

starman, 17 days ago

Thanks, I’ll try it

Oha, 17 days ago

Use that random laptop/pc/phone/rasperry pi/whatever you have laying around

Emotet, 17 days ago

Only do that if you know how to properly secure your server and your (V)LAN, if you host from your residential connection (and your ISP supports it).

starman, 17 days ago

Unfortunately I can’t do that with my ISP. Cloudflare tunnel would be an option, but out of obvious reasons I don’t want to use it.

I think I’ll try Codeberg Pages.

Anyway, thanks for your comment.

Oha, 17 days ago

codeberg seems to be pretty decent. can also recommend neocities if you only have static stuff.They are one of least bullshit hoster ive ever seen

possiblylinux127, 17 days ago

If you aren’t hosting it isn’t private. It is a rock and a hard place.

TechNerdWizard42, 17 days ago

Very true. But nobody cares or believes it. When you start saying that US made hardware like network switches, cryptographic algorithms, telecom radios, etc all have backdoors to the 3 letter agencies in 5 eyes plus the internet distribution over cloudfare or “the cloud” in Google, Amazon, Microsoft, then people just think you’re a tin foil hat conspiracist.

The people are too stupid and ignorant to care enough to demand change. Why did the US lobby so hard to get Huawei off market? Because of course there are backdoors into the Chinese intelligence agencies. JUST LIKE US DEVICES! But nobody seems to make that correlation. China bad, China hardware spying bad, is the only thing they can get in their heads.

Good to bring it up, but nothing will change. 99.9% of people don’t know what DNS or proxiing or caching is let alone Cloudfare. It’s just “the internet”. Some are aware of some agencies the US and five eyes have, but most don’t believe what they actually do and are capable of. The US is the best producer of propaganda in the world. Hollywood is amazing at it, as are US media sources. The FISA bill that just came up for reauthorization and passed had a whole PR campaign about catching terrorists and stopping Russia and China and Hamas. Nobody stopped to think how and why they even have any of that info in the first place and how it’s collected.

Keep being the crazy uncle ranting about government spying because the world needs it.

Harrison, 17 days ago

I’m all for healthy paranoia, keeping my attack surface small. That’s just professional IT ops.

Incendiary statements like saying US intelligence compromised the supply chain with hidden backdoors, those really do need to be substantiated to not sound like a crazy uncle. Our adversaries have counterintelligence also, they aren’t incompetent, and if Cisco or Juniper or whatever planted backdoors in hardware shipped to China, the Chinese would make a ton of noise about it. And so would we; Huawei was banned without any substantiated proof, out of fears that if used, their 5G infra could have hidden backdoors and the hardware would be so widely distributed that it would be onerous to replace.

glowie, 17 days ago

The Chinese are still laughing because they covertly using their EV cars as trojans

TechNerdWizard42, 17 days ago

Same reason why Teslas are banned on Chinese military bases. Data goes back to US servers that are accessible by the US government at any time.

possiblylinux127, 17 days ago

True, but that isn’t a justification for the Chinese government attacking human rights.

TechNerdWizard42, 16 days ago

And what is the justification for the US attacking human rights?

possiblylinux127, 16 days ago

The different in the US is that the US constitution grants US citizens protection and protects against totally tyrany. It is very much not perfect and the US is full of problems but at the end of the day I can still have my own beliefs without being in danger. Mass surveillance is very dangerous and I think it is a violation of what the US should stand for but the US still protects freedom.

Also I do not think the US should be compared to China. At the end of the day two wrongs do not make a right. We should uphold strong ethics and be champions of individual freedom and democracy. We should challenge anything that we disagree with as the people need to be active in the government. If you challenge the state party in China you will be jailed or worse.

The US has some dark history but we don’t bury it. Think slavery, Asian interment camps and South American conquest.

TechNerdWizard42, 15 days ago

Lol that piece paper is not a god. It’s useless jibberish written by traitors starting a now failed nation.

You have no rights in the USA. Everything you’re granted as a right, you are also denied as a right by other laws. It’s the playbook of a tyrannical society. Name ANY law that you have a right to, and then look up to find another law taking that exact right away from you.

Just like a tyrannical society, you’re guaranteed nothing. But you can fly under the radar if you agree with the political powers that be. Which is no different than any country at any point in history.

glowie, 16 days ago

I’m being downvoted for telling the truth?

TechNerdWizard42, 17 days ago

There is substantiated proof of Cisco and Juniper switches having US government backdoors through the management ports. They also have the capability of decrypting everything that passes through them and mirroring to an external host.

I cannot say any more other than you will find that the NSA continuously denied all the backdoors that global security researchers were finding and Cisco denied putting them in. You will also find in leaked Snowden documents absolute proof that the NSA was behind it and did implement the backdoors and they do exist and work.

I at the time being a lowly semiconductor designer with access to unreleased networking gear from the big guys, cannot say anything about what I know those spying piece of shit devices do. But I will say, go look up the Snowden documents. They speak louder than any random on the internet.

And China has made a stink. It’s one reason their great fire wall is setup. It does somewhat prevent citizens from using western tools, but they know they do and really don’t care much. What it really is, is a way to monitor everything in and out. All the edge is Chinese hardware, no backdoors for the five eyes. Those prevent the backdoors, that are known or theorized, to be used. So essentially they are backdoored equipment inside a security fence that disallows the backdoor to establish a connection. Bad actors from within could make this bad for China. Or very very tricky phone home algorithms, but you have to be careful how it’s implemented in unfriendly territory.

Most of the other countries just don’t give a crap. If the Ivory Coasts data is being spied on by the 5 eyes or China, they don’t care. Nobody cares about them either. It’s just the sad state of world power. Those that care, have a side.

possiblylinux127, 17 days ago

Did you seriously just say that the Chinese firewall is to prevent backdoors? Fun fact, it isn’t. It is a censorship and control tool that keeps the Chinese people from seeing anything but the official narrative.

I do agree that hardware backdoors are bad though regardless of the country. We need more transparency so that multiple parties are monitoring for bad activity.

NuclearDolphin, 16 days ago

You’re both completely wrong. This is the narrative the five eyes and three letters need you to believe.

More important and more funded than domestic spying, US intelligence exists to facilitate regime change. The objective is to have both dragnet and targeted surveillance to obtain leverage (for strategic leverage, blackmail, or comms interception) over foreign political, social, and business leaders so they can maximize the unequal exchange between the US & developing countries.

Keeping Africa, South America, the Middle East, and South East Asia from developing through political and social instability not only prevents them from competing with US exports, but more importantly keeps their economies dependent on natural resource exports, which they need to sell for cheap because they are dependent on technology imports.

China as a manufacturing powerhouse threatens these unequal trade arrangements by supplying these undeveloped or developing countries with manufactured goods and technology, and thus is one of the primary targets of US covert regime change operations. (Also why you see news media crying bloody murder about China’s “dept trap diplomacy”). Much of this also applies to other developing powers that resist being imperialized or oppose US geopolitical goals like the USSR/Russia and Iran.

So purpose #1 of the great firewall is to prevent the US from controlling its social and technology sphere and using it to cause instability.

Purpose #2 is economic protectionism for China’s high tech sector. China knows that as long as it remains primarily industrial / low tech manufacturer, it will always be threatened by US intervention.

By moving to high tech, China can eliminate its reliance on Western technology imports, eliminate threat vectors for adversaries to slip in, and let other rising nations like Vietnam, Brazil, Malaysia, and Mexico take some of the heat off them by outsourcing its manufacturing there. China also gets to benefit by having cutting edge tech that will benefit its public health, increase education levels, strengthen its military, and form the basis of its post-industrial economy.

China “enforcing the official narrative” insofar as controlling public opinion is of far lower importance than denying the west avenues to destroy its society. China is incredibly diverse and a quick peek into Chinese social media reveals no shortage of western culture fetishizers, religious quacks, conspiracy theorists, anti-vaxxers, capitalist enthusiasts, shit talkers about political figures, and people pushing back on “the official narrative”. VPN usage is widespread. People read, share, and meme western news and social media.

Yes they censor posts, no they don’t do that great of a job at it…because the goal isn’t censorship, its about denying the West the ability to exploit discontent to destabilize the country.

See also:

• Tibet in the 50s & 60s (notice the gap here, when the US thought China would be a useful bludgeon against the Soviet Union & allies)
• Student protests in 1989
• Honk Kong in 2019
• Xinjiang when the US was in Afghanistan
• Taiwan tensions and weapons sales ramping up now

All of these being natural internal tensions exploited with great effort and to great effect by the US through mass media campaigns, radicalizing extremist and separatist groups, weapons transfers, and direct involvement in helping people commit violence.

And the US isn’t Russia buying $10 million worth of Facebook ads and running not farms, this is the most developed, most funded, and most sophisticated intelligence apparatus in history. One so large, people with an interest in politics and spying, cannot name all the publicly known agencies without missing 5-10.

You can quote me on this, if the US were to fall in the coming decades, the firewall would also fall within the year. Though, I suspect the US will just languish with internal infighting once the petrodollar loses reserve currency status and China takes the firewall down around 2035 once there aren’t powers posing a credible threat to its security.

possiblylinux127, 16 days ago

You can tell your self what ever you want but China still attacks journalists. You can’t even get on Reddit in China or use Signal or other encryption. It has nothing to do economic prosperity or anything like that. China is an authoritarian government who doesn’t want to lose control.

NuclearDolphin, 16 days ago

You can’t even get on Reddit in China

Oh no, the horror!

Signal or other encryption

Weird, that’s how I kept in contact with my family when I was there.

It has nothing to do economic prosperity or anything like that

plugs ears LA LA LA LA LA

China is an authoritarian government who doesn’t want to lose control.

wet_fart_noise.flac

TechNerdWizard42, 16 days ago

What I said doesn’t disagree with what you said.

possiblylinux127, 17 days ago

There is a ton a proof of Chinese hardware backdoors. It started with some dude wondering what a particular chip on the board did.

TheAnonymouseJoker, 16 days ago

The Superchip China microchip spying story by Bloomberg was a conspiracy theory long proven false. Even Amazon had to say it is too ridiculous.

possiblylinux127, 16 days ago

It has been verified by multiple sources. There were even some YouTube’s who tested it.

It isn’t something you can ignore because you like China

TheAnonymouseJoker, 16 days ago

There was no verification. It was propaganda created by USA’s Bloomberg as part of its annually funded agenda to defame China.

Yes I like China because they are a morally great country, do good for their citizens, help keep PPP high for most people on earth, and do not bomb or genocide whoever they like. They also hang to death corrupt rich people, drug traffickers and sex traffickers.

Supermicrochip conspiracy had zero validity in any shape, size or form.

TrickDacy, 17 days ago

nobody cares or believes it

I mean, this community exists because people care and believe it. But sure doom, gloom, etc

Scolding0513, 17 days ago

factual statements. many people do know and care, but yeah, most people have no freaking idea what’s going on, let alone care. Even “privacy” people often don’t care.

TheAnonymouseJoker, 16 days ago

Why did the US lobby so hard to get Huawei off market? Because of course there are backdoors into the Chinese intelligence agencies. JUST LIKE US DEVICES!

Keep being the crazy uncle ranting about government spying because the world needs it.

Dunning-Kruger Pro max ultra. Believing in nonsense like crazy uncle is never helpful.

Huawei was banned because Apple, the national tech brand of USA, was butt hurt that Huawei overtook it in marketshare globally. And that Huawei refused to bake in NSA backdoors into Huawei devices with no backdooring. Western Big Tech dislikes that people can have any hardware that is clean of NSA backdoors, otherwise it would have been possible long ago to have commonly available backdoor free hardware in western countries.

Just because western countries do crazy shit, does not mean every country does.

Harrison, 17 days ago

Cloudflare is a MITM by design. Calling it an attack is disingenuous; you’re signing up for the service of your own free will, not a victim.

If a substantiated news article came out showing that Cloudflare shared SSL keys or otherwise gave direct access to various intelligence agencies without a court order, that would essentially destroy the company. So they certainly aren’t doing that.

So then the question becomes whether those nefarious three letter agencies penetrated Cloudflare with APT tools and are silently listening to everything. Our adversaries are certainly trying, China, Russia, Iran, etc. If the NSA (which lacks a mandate to act on US soil, and CF is a US company) or perhaps the FBI hacked a US company, particularly one that covers like a third of the internet like Cloudflare, that would be a truly enormous scandal.

But in the end, yes, it is a MITM. If you need your data to be E2E encrypted, don’t use it.

FaceDeer, 17 days ago

I could imagine the NSA embedding an agent inside Cloudflare specifically to keep an eye out for any foreign agents also being embedded in Cloudflare, rather than to dig out its secrets for themselves.

Harrison, 17 days ago

I’m sure the TLAs work closely in conjunction with all companies responsible for internet infrastructure, yeah. That is their mandate.

LazerDickMcCheese, 17 days ago

They have the money to do it. And historically, the CIA has done similar things globally for decades

BearOfaTime, 16 days ago

In the 90’s telcos were exposed as providing a connection for feds to duplicate any and all comms.

Scolding0513, 17 days ago (edited 17 days ago)

If a substantiated news article came out showing that Cloudflare shared SSL keys or otherwise gave direct access to various intelligence agencies without a court order, that would essentially destroy the company. So they certainly aren’t doing that.

excuse me, what?? The Snowden documents came out showing all these companies literally giving over all their data to the NSA like it was water from a spring, and they are all still in business. AT&T, facebook, google, microsoft, dropbox, etc. Yet you claim somehow cloudflare would be destroyed?? This isnt even funny bro.

more recently, Hetzner was showed to have given backdoor access to the feds, yet people still buy VPSs from them, and in fact, 20% of TOR guard nodes are sitting on their infra RIGHT NOW!

Case in point: people using such companies either don’t care or are really ignorant or stupid.

sip, 16 days ago

isn’t the US law so that companies need to cooperate with the alphabet boys? there’s no “safe” place

Scolding0513, 16 days ago

not in the US anyway

bc93, 16 days ago

deleted_by_author

Scolding0513, 16 days ago

people love to forget. History is so important, even short term history

metacolon, 14 days ago

Can you give a source on the Hetzner claim? I’m curious and didn’t find anything online

Scolding0513, 14 days ago

just search hetzner police backdoor. it’s all over the place. unless you’re using google and google censored it. idk, i dont use google.

Coasting0942, 17 days ago

I don’t believe that the NSA has a portal giving them direct access (probably naive).

They definitely have a secret agent 🕵️‍♀️ nerd on the inside providing intel on the structure. Maybe inject exploits or guide them when needed.

They definitely have a direct e-mail address to cloudflare legal to serve national security letters that cloud flare is obligated to comply with. Which is a portal with extra steps, but which cloud flare can raise a fuss if they notice the requests are turning into vacuum cleaners, and not union membership research.

plz1, 16 days ago

Internet traffic gets mirrored to NSA data centers, that’s old news from the Snowden leak.

possiblylinux127, 17 days ago

What concerns me is that we really do not know what the three letter agencies are capable of. They operate outside of the demographic government. Many Americans are increasingly losing faith in the government and secret government programs do not help. It causes what is known as a chilling effect. People start self censoring which is very dangerous and harmful to democracy. Democracy needs transparency not secrecy.

anarchist, 17 days ago

Maybe I’m just jaded and cynical but it won’t “destroy the company” even if it comes out like that. The laws don’t apply to people at the top

milicent_bystandr, 16 days ago

But in the end, yes, it is a MITM. If you need your data to be E2E encrypted, don’t use it.

Or do use E2E encryption. You can still have a layer of encryption within the SSL tunnel that cloudflare controls. Like you’d do for an E2EE filestore: the webserver (and cloudflare) see the website woosh by, and all that you do on it, but the files themselves are encrypted opaquely to both, and decrypted only by a browser at the other end.

waitmarks, 16 days ago

the NSA (which lacks a mandate to act on US soil, and CF is a US company)

They absolutely do have a mandate to operate on US soil, that is actually the main mandate and there is a separate military agency (CNMF) that operates on foreign soil. They are both headed by the same guy though so they might as well just be one agency.

jjlinux, 17 days ago

I’m basically running all my self-hosted services over CF tunnels. Does anyone have a suggestion for an alternative to this? I’d like to remove CF from my life, but not at the expense of poking port holes in my FW.

Harrison, 17 days ago

Yes there are a bunch of self-hosted options like frp, all of which require an endpoint on the internet somewhere, typically a cheap or even free VM. Here’s a pretty comprehensive list:

github.com/anderspitman/awesome-tunneling

jjlinux, 17 days ago

Thanks so much. Now I have another way to avoid my family this weekend 🤣🤣

Harrison, 17 days ago

Remember not to compromise security in favor of privacy. To me they’re both important, but security wins every time.

Remember that services directly accessible over tunnels, whether from cloudflare or frp or ngrok or whatever, are directly accessible over the internet. So if any of those various self-hosted services have a remote vulnerability, and EVERYTHING does sooner or later, you will be exposed. This is why I personally WG VPN to my home LAN rather than exposing most of my stuff via any sort of tunnel. Tailscale is another option I often recommend.

I do use CF tunnels for specific purposes; Home Assistant Google Home integration for example, but I secure that via their “zero trust” authentication by validating incoming IP ranges, so only Google can reach the tunnel in the first place, everybody else is stopped by Cloudflare. For other services with human users, I have them authenticate via github or google oauth first. I also run all services accessible by the internet by any means on a restricted VLAN firewalled off from the rest of my LAN.

jjlinux, 17 days ago

Agreed. I have a lot of homework to do before I even know which way to leap to.

possiblylinux127, 17 days ago

Wireguard and a cheap VPS

scytale, 17 days ago

Isn’t it a money thing? I kinda remember reading somewhere that big corporate clients basically can have their traffic pass through without decryption because they pay enough for the service. So as usual, it’s the small individual user who gets shafted.